Can security software keep pace with advanced threats?

Moderated by Ed Bott | June 9, 2014 -- 07:00 GMT (00:00 PDT)

Summary: The threat landscape has changed dramatically over the last decade. How well are security software companies keeping up with the new challenges?

Adrian Kingsley-Hughes argues Yes; Larry Seltzer argues No.

Audience vote: Yes 13%, No 88%.

Audience Favored: No (88%)

The Rebuttal

  • Great Debate Moderator

    Welcome, readers!

    We'll be getting started promptly at 8am PT / 11am ET. Once the debate begins, this page should refresh automatically each time a new question or answer is posted. Are my debaters standing by?

    Posted by Ed Bott

    Ready here.

    Adrian Kingsley-Hughes

    I am for Yes

    Looking forward to it.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    OK first question:

    How has the threat landscape changed in the modern era, and how well are security software companies keeping up with those new challenges?

    Posted by Ed Bott

    The biggest game changer has been money

    Out are the jokes, the malware that just deleted files or formatted systems, and in is a new breed of malware that is designed specifically for building botnets, for espionage, and for holding data ransom.

    In other words, what's happened is that malware has moved from being the domain of the geeks and tech-heads to that of criminal gangs and rogue – and perhaps not so rogue – states who see digital as a way to make easy money.

    What does this mean in real terms? It means that more resources are being poured into finding resources – something which extends to buying zero day vulnerabilities for various operating systems direct from the hackers who find them in the first place – to researching hacks and vulnerabilities directly.

    Adrian Kingsley-Hughes

    I am for Yes

    The cutting edge

    The really scary mass-attack worms of ten years ago or more, like Nimda and Sasser, have been dead for a while. They were stopped not by security software as such, but by Microsoft taking security seriously in their products. Back before the security quality of many programs, principally Microsoft's, became acceptable, there really wasn't a way to secure ordinary users who had reasonable access to the Internet.

    Now, with modern software, including security software and intelligent policies for users and administration, you can protect yourself effectively against all but a very sophisticated attack.

    But if you're an important-enough target, a sophisticated attacker can probably still penetrate your network. This is why the cutting edge of security software is for systems that assume you will be attacked, and then monitor internal traffic looking for suspicious activity.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Types of software?

    Besides traditional signature-based antivirus software, which types of security products are important today?

    Posted by Ed Bott

    I would point to two things:

    Patches: Probably the first line of defense against nasties infiltrating your digital kingdom. Without proper patching, malware can sneak onto a system via the back door. While signature-based antivirus software is good at spotting malware that exploits operating system vulnerabilities, it is possible for zero day threats to walk right past an antivirus scanner.

    Endpoint software: The ability to control what connects to a network, and how, is an important part of the security jigsaw. Preventing certain systems from connecting to a network – for example, those that haven't been patched, or are running outdated software, or that don't have an up-to-date virus scanner installed – is an effective way of preventing not only malware but also data theft.

    Adrian Kingsley-Hughes

    I am for Yes

    My first answer is patch management...

    ...and an aggressive policy of testing and applying patches. Zero-day attacks get a lot of attention, but the overwhelming majority of exploits are for vulnerabilities which have already been patched. The hard part of this is not the software, but the resources and authority to risk downtime and/or work after-hours.

    Privilege management is another critical area where you have to put in work. You can do it with just what Windows provides, but there are systems, such as those from BeyondTrust, which help a large and complicated organization adhere to the principle of least privilege.

    Finally authentication. All the time in real-world cases we see attacks which would have failed had two-factor authentication been in place. It's not necessary or desirable everywhere, but you should seek to employ it wherever possible.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Is all security software created equal?

    Is most of it "good enough" or are there big differences?

    Posted by Ed Bott

    Pretty much so

    The biggest differences really come down to user interface and usability, rather than the protection the software offers against malware.

    Adrian Kingsley-Hughes

    I am for Yes

    Some is better than none

    I guess there is a "good enough" in terms of protection, in the sense that the difference between 97% and 98% protection is unlikely to matter as much as other factors, like price and management features. Perhaps more important is that it's usually better to have some protection than none.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Third-party tests?

    How much should buyers rely on third-party tests when evaluating security software?

    Posted by Ed Bott

    In lieu of testing...

    While you'll come across quite a lot of third-party tests done on consumer grade security software, this isn't the case for the stuff aimed at the enterprise. However, on the plus side, most purveyors of enterprise security software will assist businesses in testing their platform, allowing business users to decide for themselves if the product is what they need.

    Adrian Kingsley-Hughes

    I am for Yes

    Rarer and less practical

    Third-party testing has become rarer and less practical in recent years, especially from an enterprise perspective. You can find good third-party tests of antivirus engines, and that's important, but it's rare and/or expensive to find tests that also consider enterprise management and deployment issues. Those tests are just too expensive to do. You'll either have to do them yourself or rely on a consultant, and perhaps that's for the best. It's an important decision and best made based on information about your organization and its other plans.

    For less-mainstream products, once again there are few third-party options.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Same software?

    Can the same software work for enterprises and small businesses alike?

    Posted by Ed Bott

    No

    This is where things get complex. Every business is different, with differing hardware platforms, differing use-case scenarios, all being used in different ways. But the gulf between a small business – say, five to 50 seats – and a business with thousands of seats is going to be very wide, all the way from the infrastructure to the number of people who are responsible for keeping the IT running.

    Adrian Kingsley-Hughes

    I am for Yes

    Not often

    I'm going to define "small business" as very small, definitely under 100 seats. The endpoints aren't necessarily managed and there isn't necessarily a full-time administrator.

    With many products, large parts of the program are the same for the enterprise version down to the consumer version. Anti-malware engines are this way. But for an enterprise they need to behave very differently: to obtain updates from an enterprise proxy server rather than directly to the vendor over the Internet; to deploy through network-based deployment solutions, potentially with zero-touch by the administrator; to implement policies set by the administrator based on the organization's directory; and to report events centrally.

    Consumer and very small business products have to be designed to be as easy to use as possible or their support burden becomes too great for the vendor. Enterprises need more power and flexibility.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    How important is security software versus security policy?

    Posted by Ed Bott

    They go hand-in-hand

    The bottom line is that one isn't really effective without the other. It's a bit like asking what part of a bridge is the most important, the deck or the cables? Without both, neither can do its work.

    The same is true here. The two things go hand-in-hand, and any company that thinks it can choose one over the other is playing with fire.


    Adrian Kingsley-Hughes

    I am for Yes

    Both important, but one is harder

    Security software is nothing without good security policy and administration. On the other hand, good policy and administration aren't enough without good software.

    Sometimes the line between one and the other can be difficult to draw, because security software implements security policy. But even if software is involved, it's policy that says (for example) that your password must have no dictionary words and be at least 10 characters long.

    With good policy, users and servers will be much less likely to be hacked. If they are hacked, the consequences will be less severe and the problem will be discovered sooner. But software is especially good at noticing unusual circumstances which may or may not be malicious, like client connections from Brazil or a spike in mobile traffic.

    So in the end, they're both important. It's probably harder to implement good policy than good software.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Are businesses paying too much attention to desktop security...

    ...and not enough to securing their networks?

    Posted by Ed Bott

    Holistic approach needed

    I'm sure some are, while others are going the other way and spending masses on securing their networks but allowing anything and everything to connect to said network.

    I think the issue here has more to do with the fact that desktop vulnerabilities get a lot more media attention than network vulnerabilities do – hence the whole Windows vs. Mac vs. Linux debate – when in fact it is far better to look at the ecosystem as a whole, and see the desktop for what it is, which is a part of that ecosystem.

    By taking a more holistic approach, companies are better able to protect their digital empire because they see it in its entirety, as opposed to just seeing parts of it.


    Adrian Kingsley-Hughes

    I am for Yes

    Failures and best practices

    I don't know enough about how much money or attention is spent on each, but there's plenty of literature and guidelines on each. Client security software is much more mature and competitive because there's a consumer market that can subsidize development and marketing of business products.

    But especially in the web era, a large percentage of threats come in through weaknesses in servers and networks. We know that many organizations don't follow best practice guidelines for these servers and that exploits through SQL injection and other such techniques are still fairly common.

    But client exploits are still common as well. I'm struck by Cisco's description of the recently ascendant Cryptowall ransomware: It infects through vulnerabilities in Java, Silverlight and Flash, all of which have been patched for about a year or two. Any exploits are purely a failure of policy.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Can a business just throw away desktop security software?

    Posted by Ed Bott

    Begging for trouble

    They can, just in the same way they can get rid of door locks and decide not to insure anything. But any company doing this is asking – no, begging – for trouble.

    What businesses should do is install desktop security, and then let that quietly do its job in the background.


    Adrian Kingsley-Hughes

    I am for Yes

    Good heavens no!

    Please everyone, the question was probably rhetorical, don't even joke about this!

    There are too many things that end users can do to a desktop system on even the best-protected network to leave the clients unprotected. This suggestion is the flip-side of the equally absurd "deperimeterization" fad of a few years ago, the idea of which was to put all the protection on the client. Defense-in-depth is always a good strategy in infosec.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Virtualization?

    Does virtualization offer any hope for the future of security software?

    Posted by Ed Bott

    No magic bullet

    There's no doubt that virtualization has brought – and will bring – greater levels of security to systems, but it is not the magic bullet that some claim it will be. While virtualization does bring with it security measures such as system isolation, going beyond the basics needs skill, experience, and resources.

    Another area where virtualization may aid security is in isolating certain applications from the system as a whole – for example, a browser.

    Again, remember that nothing in this world is foolproof – they keep making better and better fools – so a defense-in-depth computing approach is better than putting all your eggs in one basket.

    Adrian Kingsley-Hughes

    I am for Yes

    Absolutely

    And it's already used that way. Hypervisors are the right place to put as much security function as possible, as they are protected from (if not completely impervious to) malicious action in the VM. As described in this VMWare document, virtualization provides a certain amount of security automatically, just by separating systems, but it also allows for special protection of kernel modules. There are anti-malware products that operate at the hypervisor level.

    It also allows for sophisticated virtualization of networking between virtual systems. VLANs are useful in separating traffic flows that don't need to be on a shared segment without having to separate them physically.

    It's all very powerful, but it's not automatic. It requires sophisticated administration.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    If an individual is smart and careful...

    ...can they safely go without any security software?

    Posted by Ed Bott

    Think smoke alarms

    My grandparents never had a smoke detector, and they never burned to death in their sleep. But I have smoke detectors fitted because it's a small price to pay to protect my family and myself.

    This is how I view security software. A switched-on individual could probably get away without running security software if they patched their system and took care as to what they did and what they installed. But outside of some weird bragging fetish or being able to free up a few extra megahertz of power from a system, seriously, why bother?

    The downsides of running security software are small, while the upsides are huge. And if someone doesn't want to spend money on it then there are many free alternatives available.


    Adrian Kingsley-Hughes

    I am for Yes

    Probably...

    I hesitate to say this in public, but the answer is "probably." When you say "without any security software" I'm going to assume you mean "beyond what is provided by the operating system". Even the smartest, most careful individual can get infected by malicious code in an advertising iframe on a legitimate site, but unless it's a really serious zero-day, the impact can be mitigated.

    I've done this myself for brief periods. I run antimalware on all my desktops, but in fact the antimalware hasn't blocked anything in years, because I'm careful. It's also possible that I've been exploited by malware that got past my antivirus and other measures, but I don't think so. Even so, I run antivirus because I don't want to have to kick myself for getting exploited because I didn't.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What about BYOD?

    In recent years we've seen a dramatic increase in BYOD devices, tablets, and smartphones. Is the security software industry keeping up with those post-PC devices?

    Posted by Ed Bott

    Ahead of the game

    I think that security companies are ahead of the game when it comes to post-PC devices. Countless security products exist for the various platforms at a time when malware is still – thankfully – rather thin on the ground. That said, the biggest job facing endpoint software when it comes to post-PC devices is not keeping devices free from malware, but preventing devices that have been jailbroken or rooted, or those devices that haven't been patched, from connecting to the corporate network.

    Another task that endpoint solutions are good for is recovering or remotely wiping lost and stolen devices, which, given how small and portable modern tablets and smartphones are, is a far bigger problem facing businesses that have adopted BYOD than malware currently is.

    Adrian Kingsley-Hughes

    I am for Yes

    Mobile security problem is theoretical

    The security problem from these devices, at least in terms of malware, remains a theoretical one, in spite of the potential for malware and vulnerability exploit being clear. Even so, mobile is an interesting demonstration of the convergence of policy and software in security.

    The EMM (Enterprise Mobility Management) business is big and growing like nuts. Over the last year or so, there has been a small wave of acquisitions of EMM companies by larger software companies (e.g. IBM buying Fiberlink, VMWare buying AirWatch, Good buying Boxtone) because everyone knows it's important. They're not just about security, they're about all network management.

    EMM products are all about implementing policy. They allow administrators to define a set of rules for clients to follow, as well as to push software to clients. The software is critical, but it's all about empowering administrators to take action.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    OK, final question: Is this a Windows-only problem?

    Would businesses be more secure if they switched to different platforms?

    Posted by Ed Bott

    Cybercriminals follow the money

    It's only seen as a Windows problem because of the dominance that Windows has in the computing world. Yes, companies might be safer if they ran OS X or Linux, but if everyone took that idea and ran with it, then the cybercriminals would follow the money and go after these platforms.

    Remember, zealotry over your chosen platform does nothing to protect you from someone who wants what you have!

    Again, it's better to stop thinking about the minutiae of the system, take a more holistic approach, and add defences as appropriate at all levels.


    Adrian Kingsley-Hughes

    I am for Yes

    Attackers follow certain patterns

    None of the alternative systems (with the arguable exception of iOS) is inherently any more secure than Windows, but in the real world there are certain patterns attackers follow. No matter how blatant and wide-open the vulnerabilities on the Mac are, attackers don't seem all that interested in writing Mac-specific attacks.

    I don't have numbers, but I think it's fair to say that at the server level, *NIX servers are compromised at least as much as Windows servers, probably more. Certainly in terms of published vulnerabilities, the average Windows Server (of at least the 2008 generation) is more secure than the average Linux server.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    That's a wrap

    Adrian and Larry, thanks for a great debate. Please submit your closing arguments by Wednesday morning. I will deliver my verdict on Thursday.

    Readers: Please cast your vote -- and feel free to add a comment below...

    Posted by Ed Bott

Talkback

73 comments
  • It'll always be an arms race.

    Unless something truly groundbreaking or magical happens - it'll always be an arms race.

    I just don't see a way around it. There will always be more flaws to find, and there will always be more tricks that criminals use that security software needs to deal with.

    I just don't see any end in sight. Security software can *maybe* keep pace, but that pace will eternally be changing.
    CobraA1
    Reply 59 Votes I'm Undecided
    • Only Possible To Slow Race

      There are two possible ways to slow the race but both are probably unacceptable. They will never totally stop it.

      1) A fundamental change in the web that makes hiding your identity much more difficult. This means things like using real names, etc. I think this is inevitable but I will probably not see it in my lifetime.
      2) Government Action. This would take an international effort to strengthen laws and regulations. This could sharply increase risk and curtail profitability. It would never stop one government going after another one.
      MichaelInMA
      Reply 43 Votes I'm Undecided
  • Eternal vigilance

    I figured this one would be a no-brainer, but apparently not.
    John L. Ries
    Reply 54 Votes I'm for No
    • Part of the problem is that....

      it takes more than brains (re: "no-brainer") to work and live safely - and way too many folks either do not catch on, choose convenience over safety, or may indeed be too ignorant to make an intelligent decision.
      Willnott
      Reply 52 Votes I'm Undecided
      • LOL! Well Said

        Thanks for the morning laugh.
        GotThumbs
        Reply 33 Votes I'm Undecided
      • Ignorant

        Ignorance does not lead to unintelligent, it leads to uninformed. Stupidity leads to unintelligent.
        DKFlorida
        Reply 26 Votes I'm Undecided
  • Not a chance.

    The problem is that vendors release bugs faster than they fix them. Next, the "security software" can't paper over the bugs until the bugs are identified - thus there is always a delay.

    The only way to keep up is for vendors to release fewer bugs, and fix them faster than they can be exploited.
    jessepollard
    Reply 54 Votes I'm for No
    • Or if you're a big organization...

      ...and you use open source software, you can always put some of your own people to work finding and fixing bugs. In that case, you're not entirely dependent on the vendor.
      John L. Ries
      Reply 55 Votes I'm Undecided
      • And...

        ...as a consequence, you end up with some in-house security expertise (less need to rely on consultants).
        John L. Ries
        Reply 47 Votes I'm Undecided
        • Quality Not Consistent

          There are a lot of different skill levels. Not every company would have or could afford the best. Also there are different kinds of threats that take different expertise. Only consultants with large dedicated staffs can have the level of expertise needed. In-house is not a solution.

          One of the primary laws of software is there is no software that is totally bug free except that which is obsolete and no longer used. It is kind of like a dead organism. It will not catch any new diseases that will kill it.
          MichaelInMA
          Reply 36 Votes I'm Undecided